main.cf.j2 4.26 KB
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Satellite hosts listen on loopback only; full mail hosts accept SMTP on
# every interface.
inet_interfaces = {{ "loopback-only" if postfix_satellite_only else "all" }}
inet_protocols = all
myhostname = {{ ansible_fqdn }}
# NOTE(review): a path here looks like the Debian convention of taking the
# origin domain from that file - confirm the target platform supports it.
myorigin = /etc/mailname
# Domains this host delivers locally. A domain must never be listed both here
# (postfix_domains) and in virtual_mailbox_domains (postfix_virtual_domains).
mydestination = $myhostname localhost {{ postfix_domains | join(" ") }}
# Trusted clients. permit_mynetworks in smtpd_relay_restrictions lets these
# addresses relay without authenticating, and postscreen_access_list exempts
# them from the postscreen tests, so postfix_my_networks should contain only
# hosts under your control and never a broad or public range.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ postfix_my_networks|join(" ") }}
# Next hop for non-local mail; an empty value makes Postfix deliver directly.
# Entries in transport_maps, when enabled, take precedence over relayhost.
relayhost = {{ postfix_relay_host }}
{% if postfix_transport_maps|bool %}
transport_maps = cdb:/etc/postfix/transport
{% endif %}

{% if not postfix_satellite_only %}

{% if postfix_domains|count > 0 %}
# Local delivery is handed to Dovecot: over LMTP on a private UNIX socket when
# postfix_prefer_lmtp is set, otherwise through the dovecot-lda command.
{% if postfix_prefer_lmtp %}
mailbox_transport = lmtp:unix:private/dovecot-lmtp
{% else %}
# The envelope addresses are passed as quoted arguments to the command.
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
{% endif %}
{% endif %}

# Maps envelope senders to the SASL login(s) allowed to use them. The map is
# only enforced by a reject_*_sender_login_mismatch restriction, and none
# appears in this template.
# NOTE(review): presumably applied through master.cf overrides - confirm,
# otherwise authenticated users can send with any sender address.
smtpd_sender_login_maps = proxy:pcre:/etc/postfix/login_maps.pcre
# Authenticate against Dovecot; the socket path is relative to the Postfix
# queue directory.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Set in main.cf, so every smtpd service offers AUTH unless master.cf overrides
# it; smtpd_tls_auth_only (set further down) limits AUTH to TLS sessions.
smtpd_sasl_auth_enable = yes

{% endif %}

append_dot_mydomain = no
biff = no
compatibility_level = 2
#delay_warning_time = 4h
# Refuse the SMTP VRFY command so clients cannot use it to test which
# addresses exist.
disable_vrfy_command = yes
#enable_long_queue_ids = yes
# 0 disables the size limit on local mailbox files.
mailbox_size_limit = 0
message_size_limit = {{ postfix_message_size_limit }}
readme_directory = no
recipient_delimiter = +
#strict_rfc821_envelopes = no

smtpd_banner = $myhostname ESMTP $mail_name
# Relay policy, evaluated in order: trusted networks and SASL-authenticated
# clients may relay; everyone else is limited to destinations this server is
# responsible for (defer_unauth_destination answers the rest with a temporary
# error). Keep the defer/reject entry last so the list can never fall through
# to an open relay.
smtpd_relay_restrictions =
	permit_mynetworks
	permit_sasl_authenticated
	defer_unauth_destination

# Obsolete since Postfix 2.3 and redundant here: smtpd_tls_security_level,
# which this file also sets, overrides it.
smtpd_use_tls = yes
# Outbound TLS is opportunistic: STARTTLS is used when the peer offers it, the
# peer certificate is not required to verify, and delivery falls back to
# plaintext otherwise. Stricter per-destination rules can only come from
# smtp_tls_policy_maps.
smtp_tls_security_level = may
# Trust anchors for destinations whose policy asks for certificate
# verification.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Inbound STARTTLS is offered but not required, so the smtpd_tls_mandatory_*
# settings do not apply to sessions at this level.
smtpd_tls_security_level = may
# AUTH is announced and accepted only after STARTTLS, so SASL credentials are
# never sent over a cleartext session.
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = {{ postfix_tls_cert }}
# The private key file should be readable by root only.
smtpd_tls_key_file = {{ postfix_tls_key }}
# TLS session caches for the server (smtpd) and the client (smtp), kept under
# the Postfix data directory.
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
{% if postfix_enable_mta_sts %}
# Per-destination outbound TLS policy, looked up over a UNIX socket.
# NOTE(review): presumably served by a local MTA-STS resolver daemon - confirm
# it is installed and monitored, since the policy depends on it answering.
smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
{% endif %}
{% if not postfix_satellite_only %}
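# Server-side TLS hardening; this block sits inside the
# "not postfix_satellite_only" condition, so satellite hosts keep the Postfix
# defaults.
# smtpd_tls_protocols governs opportunistic sessions; the smtpd_tls_mandatory_*
# settings apply only where TLS is mandatory. This file sets
# smtpd_tls_security_level = may, so they matter only for services that raise
# the level.
# NOTE(review): smtpd_tls_ciphers is not set, so opportunistic sessions keep
# the default cipher grade - confirm that is intended.
smtpd_tls_protocols = {{ postfix_tls_protocols }}
smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
{% if postfix_tls_mandatory_ciphers %}
smtpd_tls_mandatory_ciphers = {{ postfix_tls_mandatory_ciphers }}
{% endif %}
{% if postfix_tls_preempt_cipherlist %}
# The server's cipher order takes precedence over the client's. The line is
# rendered only when the variable is truthy, so the value is always "yes";
# the former "else 'no'" branch could never be reached.
tls_preempt_cipherlist = yes
{% endif %}
{% if postfix_tls_eecdh_grade %}
smtpd_tls_eecdh_grade = {{ postfix_tls_eecdh_grade }}
{% endif %}
# tls_high_cipherlist and tls_medium_cipherlist redefine the cipher grades for
# the whole Postfix instance, client and server. The Postfix documentation
# advises against changing them; review any override carefully.
{% if postfix_tls_high_cipherlist %}
tls_high_cipherlist = {{ postfix_tls_high_cipherlist }}
{% endif %}
{% if postfix_tls_medium_cipherlist %}
tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
{% endif %}
{% if postfix_tls_dh_file %}
# Despite the parameter name, the file may hold larger (e.g. 2048-bit) DH
# parameters.
# NOTE(review): the condition tests postfix_tls_dh_file but the path is fixed;
# confirm the role installs the parameters at exactly this location.
smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
{% endif %}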
# Turn off TLS-level compression, which can leak information about the
# plaintext through message lengths.
tls_ssl_options = NO_COMPRESSION
{% endif %}

alias_maps = cdb:/etc/aliases
alias_database = cdb:/etc/aliases
virtual_alias_maps = cdb:/etc/postfix/virtual

{% if postfix_virtual_domains|count > 0 %}
virtual_mailbox_domains = {{ postfix_virtual_domains | join(", ") }}
# Mail for the virtual domains is handed to Dovecot over LMTP (see
# virtual_transport). The base, limit, uid and gid settings are parameters of
# Postfix's own virtual(8) delivery agent.
# NOTE(review): presumably unused while delivery goes through LMTP - confirm
# before relying on them as a size or ownership control.
virtual_mailbox_base = /var/vmail/
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_gid_maps = static:5000
{% endif %}

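# Always report "resource" and "software" problems in addition to the
# configured classes. The list is concatenated rather than extended in place,
# so rendering this template no longer mutates postfix_notify_classes.
notify_classes = {{ (postfix_notify_classes + ["resource", "software"])|unique|join(", ") }}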

{% if postfix_enable_postscreen and not postfix_satellite_only %}
# Clients in mynetworks skip the postscreen tests; all others are matched
# against the CIDR table named on the continuation line.
postscreen_access_list = permit_mynetworks
                         cidr:/etc/postfix/postscreen_access.cidr
{% if postfix_enable_memcached %}
postscreen_cache_map = memcache:/etc/postfix/postscreen_cache
# Tables the proxywrite service is allowed to update.
# NOTE(review): presumably the memcache client file named in
# postscreen_cache_map uses this btree table as its persistent backup -
# confirm. An explicit value replaces the built-in default list, so any other
# table that needs proxywrite access has to be listed here as well.
proxy_write_maps = proxy:btree:/var/lib/postfix/postscreen_cache
{% else %}
postscreen_cache_map = proxy:btree:/var/lib/postfix/postscreen_cache
{% endif %}

# Clients denied by postscreen_access_list are disconnected at once; clients
# that talk before the greeting are allowed to finish the other tests and are
# then rejected (enforce), which logs helo, sender and recipient.
# Postfix 3.6 and later name the first parameter postscreen_denylist_action;
# the old name is still accepted.
postscreen_blacklist_action = drop
postscreen_greet_action = enforce
# postscreen_whitelist_interfaces = static:all
# postscreen_greet_banner = $smtpd_banner
# One of the "deep protocol" tests, together with
# postscreen_non_smtp_command_enable and postscreen_bare_newline_enable.
# postscreen cannot hand a live session over to smtpd after these tests, so a
# client that passes is answered with a 4xx and has to reconnect: expect the
# first delivery from a new sender to be delayed, more so when the sender
# retries from a different address.
postscreen_pipelining_enable = yes
# postscreen_pipelining_action = enforce
postscreen_non_smtp_command_enable = yes
# postscreen_non_smtp_command_action = drop
postscreen_bare_newline_enable = yes
postscreen_bare_newline_action = drop

# DNSBL scoring: each list in postfix_dnsbl_sites contributes its modifier
# (weight, default 1) when it lists the client. A combined score of 2 or more
# fails the test, so with default weights two lists must agree. A combined
# score of -1 or lower (possible only with negative-weight allowlist entries)
# lets the client skip the remaining postscreen tests.
# Lookups disclose connecting client addresses to the list operators and
# depend on their availability; review the configured sites periodically.
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_sites =
{% for site in postfix_dnsbl_sites %}
	{{ site.name }}*{{ site.modifier|default(1) }}
{% endfor %}
{% endif %}